RT @wemdevries: How well prepared are you for GDPR? Did you read and test any of the creations by @constantk ? It was part of my training @universityofMaastricht to become certified DPO and it is useful to test the compliancy of your company with GDPR. #… https://t.co/vNbDl0GBZd
— Constantine K (@constantk) April 25, 2018
(Originally posted on LinkedIn, May 15 2017)
I am looking forward to the next IAPP Canada Symposium, as I always do, and this time I am wondering if now Canadian companies are finally going to start doing something about the #GDPR. I spoke two years ago about the state of our laws; I spoke last year about what Canadian companies need to do with regard to complying with the GDPR.
The reason for the title is simple; we have been very comfortable with our ‘adequacy’ finding, but the transfer of data under our adequacy finding is not by itself adequate to deal with the requirements of GDPR. In contrast, there is work being frantically done in the US and the EU to address GDPR compliance. Until this point, the understanding that GDPR means something consequential for Canada has not seemed to instigate more than conversations about possibly getting someone on board to take charge. But time is running out; as of May 15, 2017 there are only 263 working days, not including vacations, between now and May 25, 2018, when GDPR comes into effect.
If a Canadian company is doing business in Europe, then yes, it can (with certain qualifications) bring personal data without need of model clause agreements or other mechanisms. However, that does not meet all the requirements of the GDPR. Canadian companies that collect information from EU residents must act in all respects as a European company would – notably:
- The right to be forgotten – Canadian companies have to be able to act on a request by a European customer
- Record keeping requirements – you will need to have your Article 30 records of processing, just as any EU company would
- Data protection impact assessments – you will need processes to meet Article 35’s requirements when they are triggered, and to document your DPIAs
- Appointment of DPO where warranted – you may need to have someone appointed as a DPO, perhaps in individual countries, where your business is primarily processing personal data, and the expectations for this may rise depending on national derogations
- Onward transfers – Article 28 of the GDPR requires adequate protection for onward transfers from Canada to elsewhere, and restricts such transfers made without the controller’s approval
- Representative office in Europe – if you don’t have a physical presence there, you will need to appoint a representative office
- Data breach reporting – new for a lot of Canadian organizations, you will need to report within 72 hours a data breach to your lead regulator (and of course, you know who that is, right?)
- Enforcement – fines of up to 4% of global revenue or EU20 million, whichever is greater
If you are a data processor – a service provider to an EU company – then you are not off the hook. The obligations will be passed on to you by contract in any event through data transfer agreements, as your customers are obliged to do so – and you are also subject to the requirements of the GDPR directly, for pretty much the same things I have set out above. The fines will be 2% of global revenue or EU10 million, but note this doesn’t let your client (the controller) off the hook – you can both be found liable independently.
What can Canadian companies do? There are no silver bullets; this is going to require work. You need to update your #privacy program to address the requirements of the GDPR. Some Canadian companies, because they have been doing what they should under PIPEDA or provincial laws, will be in a good position with some additional activities and capabilities. For the rest, it is quickly going to become a question of what they can do in the time that remains, and it means prioritizing based upon risk.
In any event, if you don’t have a plan, now is the time to get moving on it.
(Originally posted on LinkedIn, May 15 2017)
The GDPR provides a number of remedies for individuals in regard to their personal data that will put companies through their paces:
- the right to be forgotten and erasure;
- data portability; and
- objection to and restrictions on processing.
The natural next step, once someone has written you an annoying letter to find out what your company knows about them and how it is handling their personal data, is for the author to start exercising those rights.
This is harder to do in the natural flow of a single letter, because of course the exercise of these rights can arise in so many scenarios. I wanted to highlight individual elements of what data subjects can ask under the GDPR. They may not all come at once, but through the death of a thousand paper cuts, in a series of postcards from hell:
1. Let’s get rectified.
Based on the information that you have provided to me in response to my subject-access request, it appears you have built a profile on me based on my purchases. The fact that I am buying a lot of toilet paper is no one’s concern but my own; and it is due to nothing other than my having a lot of guests, not, as the profile implies, that I am having some kind of organic issues. Please rectify this as soon as possible, as I now understand why I am receiving invitations to purchase medication.
2. Transfer this.
I note that you have been transferring my personal data, namely my meal choices on flights, to the United States, and you have indicated that the transfer is based upon the EU-US PNR Agreement. The inference being drawn from my being a vegetarian is that I am in a suspect group and am being profiled on that basis, which is why I am routinely pulled aside for “random” searches whenever I visit the United States. I request that you delete all information concerning my meal choices that you have collected on me.
3. Your vendor is infectious.
I request that you delete my contact information from your customer service vendor in India. I had one interaction to get support for my software a year ago – and now I routinely get calls from India insisting my Windows computer is infected (I own a Macintosh), so your outsourced vendor is not keeping my information confidential. Please confirm that you have followed up with any organization with whom my contact details have been shared by your vendor. And in future, please restrict processing of my data to my software subscription maintenance.
4. Let my data go.
I have been using your free budget management program on the Internet and now that I understand you are storing my financial and purchase data in countries which have a high rate of identity theft, I no longer wish you to have my data. Prior to deleting it, I would like to ask you to provide all my data in a CSV format that I can use to export to a system which stores its data in the European Union. Please use the attached schema which will support the import into the new system I wish to use.
5. Taking a gamble you have it right.
I have been receiving direct mail from you both by the post and in my e-mail. I am in risk management and I attend conferences on privacy and risk management. I assume that is how you got my contact information, but I do not understand how this got linked to gambling. I don’t find gambling interesting and I don’t know why you would assume that I would want your magazine on gambling, or your e-mails to let me know about gambling events, and the connection with gambling is embarrassing and potentially damaging to my career. Stop sending me anything more and remove my name and address from your lists in relation to gambling.
(Yes, the last one happened to me).
(Originally posted on LinkedIn, April 3 2017)
So let’s imagine how the letter from hell has been answered in a typical organization. All these annoying questions have been asked, and they may have to be answered. The scope of the answers will depend on the context of what the subject is legitimately making a complaint or inquiry about.
If you are not prepared and do not have an adequate picture of your data processing activities and privacy management processes, then answering any subject-access request will be time consuming. You won’t even know who knows the answers to some of these questions, and in your exploration of your company’s subterranean caverns of data processing, you come up against the deadline.
So naturally, you have written back initially in the one-month period following the subject-access request, to advise that you will require a further two months (Article 12(3) GDPR). And despite your best efforts and intentions to get answers from your IT department, your HR department, marketing and everyone else who presumably should know how this individual’s information is being processed, you find yourself coming up against the extended deadline again.
And you slip over it. Not by much, but you are late. And your answers are, admittedly, a bit vague and perhaps not that persuasive. The data subject does what data subjects will do – they complain to their national or local DPA. And you get another letter…
The DPA Inquires…
Dear Sir, Madam,
On <date>, the <jurisdiction> DPA received a complaint from <name>, following a data subject access request filed with your company on <date access request>. <Name> has asserted that the processing of his/her data by your organisation is infringing his/her fundamental right to data protection as laid down in the General Data Protection Regulation (Regulation (EU) 2016/679).
Based on the claims in the complaint, the copies of the correspondence between <name> and <name DPO>, the DPO of your organisation, and in accordance with Articles 57(1)f and 77 of said Regulation, I have decided to open an investigation into the data processing operations of your organisation, and the way you provide access to data subjects’ information processed in your files and systems. I trust that your organisation will cooperate fully with this investigation. I do however stress that, if required, I can order your cooperation under Article 58(1) GDPR.
I request that you provide an answer to the following questions within four weeks of today. Please be so kind as to answer the questions extensively, providing all information, as well as supporting documentation, that you consider relevant for this investigation.
1. <Name> has asked you to provide a digital copy of all information processed by your organisation about him/her. On <date>, you did provide a PDF file containing the name, address and contact details stored in your systems about <name>. Any further information, including for example the contact <name> has had with your customer service team, appears to be lacking. Information about <name>’s financial relations with your organisation has also not been provided. I therefore request that you provide a full copy of all information your organisation processes about <name>.
2. <Name> has indicated that the PDF file with his/her information that you provided also contained information related to his/her social media accounts, even though that information was never provided to you by <name>. In line with Article 15(1)g GDPR, please provide information about the provenance of this data.
3. In addition, you have not indicated what information you hold concerning the profile you have developed of <name> based upon usage of your website and upon the input <name> provided in response to the surveys and other feedback mechanisms you offer. In particular, <name> notes that a third-party organisation processing information on your behalf places a cookie on users’ computers. This appears to be used to track users’ activities not only on your website but also, as users leave and go to other websites, their activities on those websites. Please elaborate.
4. In your correspondence with <name>, you have indicated you process personal data for marketing purposes, without further specification how this information is processed and with which third parties this data is shared. Please elaborate.
5. <Name> also requested that you identify what countries his/her personal data was stored in or accessible from. You indicated that his/her data was stored in a data centre in the United States. However, <name> has pointed out that, in calling for support in relation to your <service/product>, s/he was put in touch with customer support representatives in India. Your response is therefore complained of as being inaccurate.
6. <Name> specifically requested information concerning the use of cloud services to store or process personal data, and your response was that you are not storing his/her personal data in cloud services. Notwithstanding this, it is noted that your organisation made a public announcement concerning the use of <well-known software company>’s cloud services to augment your processing. Additionally, <name> identified that on at least one occasion s/he was required to exchange files containing personal data with your organisation’s support representatives via <popular file sharing service>.
7. You have provided a list of third-parties with whom you share personal data of <name>, which includes a payment processor as well as a company providing web analytics as noted above. However, your website proudly announced in 2016 a partnership with another third-party to provide related services to assist users with the use of <product/service>, and <name> has in fact received e-mail marketing communications from that partner. You have not listed what information is shared with that partner, nor have you indicated this as a use of the information of <name> in response to the query relating to specific uses of information. You have also not indicated what jurisdiction this partner has stored or has access to <name>’s personal information. Please elaborate on the relation between your company and this partner, as well as the data shared between the two companies.
8. Both in relation to this undisclosed partner as well as your identified third-party processors, you have not indicated if the data is transferred outside of the European Union, and if so, what the legal grounds for transfer of personal data are on which you rely, or your safeguards in relation to the protection of personal data.
9. In response to the question of <name> relating to the retention of personal data, I can only ascertain you have repeated the text of the law, stating personal data is retained “no longer than necessary”. Please provide for each data category and processing purpose the specific retention periods your organisation has decided upon.
10. You have indicated that there have been no breaches of personal data involving <name> as a result of a security or privacy breach. However, <name> has pointed out, and I note, that you have notified regulators, namely <State Attorney Generals> in the United States of America, that your company experienced a breach on <date> involving <x,000> individuals in <various states>. This breach arose from a rogue employee accessing and selling personal information from your data centre in the United States, which is where you indicated that the data of EU residents is also stored and processed. This information suggests that EU residents’ data has also been accessed, or may have been, and I require further details as initially set out in <name>’s letter:
a. details of each and any such breach at a data centre in the US that contained EU residents’ personal data, including:
b. a general description of what occurred;
c. the date and time of the breach (or the best possible estimate);
d. the date and time the breach was discovered;
e. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);
f. details of the personal data that was disclosed;
g. your company’s assessment of the risk of harm to data subjects, as a result of the breach;
h. a description of the measures taken or that will be taken to prevent further unauthorised access to personal data;
i. what information and advice you provided to affected individuals in the European Union against any harms, including identity theft and fraud.
11. In addition, if it is indeed possible that personal data of EU citizens was or may have been compromised during the breach, I ask you to explain why you have decided not to notify any of the EU data protection authorities until now, as required by Article 33(1) GDPR.
12. Further to the question above, please identify what mitigating steps you have taken to protect the data of <name> as an EU resident, either prior to or in response to the breach noted above, including:
a. Encryption of personal data;
b. Data minimisation strategies;
c. Anonymisation or pseudonymisation; or
d. Any other means.
13. In light of the information concerning the above-noted breach, I find that the questions of <name> which you declined to answer as irrelevant are germane and should be addressed. These include:
a. Information concerning your information policies and standards;
b. Backup, archival and storage mechanisms;
c. As requested by <name>, details as to your:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
14. In light of the basis for the above-noted breach, please provide documentation as to training and awareness delivered to employees and contractors.
15. What data loss prevention measures do you utilise to prevent the type of harm that led to this breach?
Upon receipt of your answers, I will analyse the information received before deciding on next steps in the investigation, including on whether or not an in situ inspection is needed. If I decide to draw up a report of findings, you will have a chance to respond to the draft report before it is published. This includes the opportunity to identify any business confidential information that should not be made public. You may also include in your response to this letter an indication of any information that should be treated as business confidential. I underline that business confidentiality as such is not a reason to withhold information from this investigation.
A copy of this letter will be sent to <name DPO>.
Inspector – <jurisdiction> DPA
(Originally posted on LinkedIn, March 9 2017)
I had drafted a letter a few years ago detailing the worst kind of personal information access request that a Canadian company could receive under PIPEDA. I thought it might be useful to update that as a subject access request under GDPR, and present it as a worst-case situation (with thanks to Paul Breitbarth for reviewing this and offering some insights from a regulator’s point of view). You might simply use this to make a case to your organization about what it could potentially receive.
A more interesting use would be to use this letter for a table-top exercise, similar to those used for data breaches, to see how your organization would respond. It might be very entertaining to have this kind of letter actually sent by a friendly party to your own organization to see exactly how it would be responded to – would the privacy office get alerted? How would the organization respond to someone knowledgeable about both the law and the technologies being used to support data management? Edit as appropriate to create the nightmare of your choosing. A future installment will address the nightmare of rectification, erasure and portability :-).
The nightmare letter:
I am writing to you in your capacity as data protection officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal data pursuant to Article 15 of the General Data Protection Regulation. I am concerned that your company’s information practices may be putting my personal information at undue risk of exposure, or may in fact have breached its obligation to safeguard my personal information, following <latest nasty cybersecurity event or thing in the news>.
I am including a copy of documentation necessary to verify my identity. If you require further information, please contact me at my address above.
I would like you to be aware at the outset that I anticipate a reply to my request within one month as required under Article 12, failing which I will be forwarding my inquiry, with a letter of complaint, to the <appropriate data protection authority>.
Please advise as to the following:
1. Please confirm to me whether or not my personal data is being processed. If it is, please provide me with the categories of personal data you have about me in your files and databases.
a. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.
b. Additionally, please advise me in which countries my personal data is stored, or accessible from. In case you make use of cloud services to store or process my data, please include the countries in which the servers are located where my data are or were (in the past 12 months) stored.
c. Please provide me with a copy of, or access to, my personal data that you have or are processing.
2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of my personal data.
3. Please provide a list of all third parties with whom you have (or may have) shared my personal data.
a. If you cannot identify with certainty the specific third parties to whom you have disclosed my personal data, please provide a list of third parties to whom you may have disclosed my personal data.
b. Please also identify, from the jurisdictions you have identified in 1(b) above, those in which the third parties with whom you have or may have shared my personal data have stored or can access it. Please also provide insight into the legal grounds for transferring my personal data to these jurisdictions. Where you have done so, or are doing so, on the basis of appropriate safeguards, please provide a copy.
c. Additionally, I would like to know what safeguards have been put in place in relation to these third parties that you have identified in relation to the transfer of my personal data.
4. Please advise how long you store my personal data, and if retention is based upon the category of personal data, please identify how long each category is retained.
5. If you are additionally collecting personal data about me from any source other than me, please provide me with all information about its source, as referred to in Article 14 of the GDPR.
6. If you are making automated decisions about me, including profiling, whether or not on the basis of Article 22 of the GDPR, please provide me with information concerning the basis for the logic in making such automated decisions, and the significance and consequences of such processing.
7. I would like to know whether or not my personal data has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
a. If so, please advise as to the following details of each and any such breach:
i. a general description of what occurred;
ii. the date and time of the breach (or the best possible estimate);
iii. the date and time the breach was discovered;
iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal data);
v. details of my personal data that was disclosed;
vi. your company’s assessment of the risk of harm to myself, as a result of the breach;
vii. a description of the measures taken or that will be taken to prevent further unauthorized access to my personal data;
viii. contact information so that I can obtain more information and assistance in relation to such a breach, and
ix. information and advice on what I can do to protect myself against any harms, including identity theft and fraud.
b. If you are not able to state with any certainty, through the use of appropriate technologies, whether such an exposure has taken place, please advise what mitigating steps you have taken, such as:
i. Encryption of my personal data;
ii. Data minimization strategies;
iii. Anonymization or pseudonymization; or
iv. Any other means.
8. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal data, such as whether you adhere to ISO 27001 for information security, and more particularly, your practices in relation to the following:
a. Please inform me whether you have backed up my personal data to tape, disk or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal data from loss or theft, and whether this includes encryption.
b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal data has been disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
9. In regards to employees and contractors, please advise as to the following:
a. What technologies or business procedures do you have to monitor individuals within your organization so as to ensure that they do not deliberately or inadvertently disclose personal data outside your company, whether through e-mail, web-mail, instant messaging or otherwise?
b. Have you had any circumstances in the past twelve months in which employees or contractors have been dismissed and/or been charged under criminal laws for accessing my personal data inappropriately, or, if you are unable to determine this, for accessing the personal data of any customer inappropriately?
c. Please advise as to what training and awareness measures you have taken in order to ensure that employees and contractors are accessing and processing my personal data in conformity with the General Data Protection Regulation.
(Originally posted on LinkedIn, March 6 2017)
As I mentioned in my first article, I have noted the curious reluctance of many organisations to simply get started on their GDPR compliance, and that they are still looking for budget. I have observed another outcome of the late start being made in relation to GDPR, and that is the desire for a ‘silver bullet’. This is represented by the rush to buy something – typically something to manage privacy impact assessments – that can be presented to management as a concrete step towards complying with the GDPR.
I have a few – well, a lot – of concerns about this approach:
Article 35 mandates the need to do a data protection impact assessment (DPIA) where there is a high risk to the rights and freedoms of individuals, or systemic profiling, or processing on a large scale. This will obviously require many organisations to put in place processes to ensure that these requirements are met. Guidance and developments will continue in regards to when DPIAs are required and when they are not.
While DPIAs are important, they are one element of GDPR compliance. Compliance is an outcome of doing the right things, and the ‘right things’ are rarely ‘one thing.’ For the GDPR, it includes setting up training, ensuring vendors are properly managed, providing appropriate notices, having a good breach response…and on and on. It is about doing all these things and documenting that you have done them.
The problem is that this is work. A lot of it. And – it requires time, which organisations have begun to realize is in short supply now that we have fourteen months until GDPR comes into effect. I am not sure that a PIA solution is the right way to go unless you are actually facing a volume issue that your current processes cannot manage. There are many things that need to be done, and to really begin dealing with GDPR (if you are still just getting started), take a look at some of the guidance that has come out. One in particular, from the UK’s ICO, provides a nice way to communicate the challenge to your management – and makes it clear that there is no silver bullet: